Chrome’s insane password security strategy

[Renegade]

Judge for yourself if this link:

chrome://settings/passwords

Is what you think of when you think of password management and security.

http://blog.elliottk...rd-security-strategy

I'm not going to quote the article - visit it - it has several screenshots and whatnot, and I'm too lazy to replicate the article here.

It's a good read. Do check out some of the links at the bottom of the article as well. e.g. Wired's response is basically, "Shut up. This is normal."

[4wd]

This isn't really that new, people have been asking for a Master Password feature, (ala Firefox), in Chrome since about 15 minutes after it obtained the ability to store passwords.

Google's response has always been the same: not interested.

[wraith808]

This isn't really that new, people have been asking for a Master Password feature, (ala Firefox), in Chrome since about 15 minutes after it obtained the ability to store passwords.

Google's response has always been the same: not interested.

-4wd (August 18, 2013, 12:27 AM)

I guess from the fact that no extensions exist that do that very thing that there's no way to lock down access to that URL with an extension?

[40hz]

Google's response has always been the same: not interested.

-4wd (August 18, 2013, 12:27 AM)

Besides, it would be just one more thing to wring their hands over and whine about "not legally being able to talk about it" next time the NSA comes calling...

Wired's response is basically, "Shut up. This is normal."

-Renegade (August 17, 2013, 10:55 PM)

Wired is no longer Wired as many of us remember it - and hasn't been since 1998. Wired is now owned by Advance Publications and managed by their Conde Nast <*choke*> subservient subsidiary company.

Need more really be said?

 

[Stoic Joker]

Wired's response is basically, "Shut up. This is normal."

-Renegade (August 17, 2013, 10:55 PM)

Wired is no longer Wired as many of us remember it - and hasn't been since 1998. Wired is now owned by Advance Publications and managed by their Conde Nast <*choke*> subservient subsidiary company.

Need more really be said?

 

-40hz (August 18, 2013, 11:54 AM)

So you're saying that the downside of being "wired" is a matter of who's finger is on the button at the end of the cattle prod wires?

if <Kzzzzeeeeeerrrrtttt> (Resistance == futile) got it;




...Yes I've been drinking.  

[Renegade]

...Yes I've been drinking. 

-Stoic Joker (August 18, 2013, 01:07 PM)

It's the only option left to deal with reality for people that have a clue.

[Edvard]

Aaaand it's in Chromium too.  Damn.  And it was such a fast browser... 

[4wd]

Aaaand it's in Chromium too.  Damn.  And it was such a fast browser...  

-Edvard (August 20, 2013, 09:20 PM)

Just had a look and Comodo Dragon does implement a Master Password:



Appears to work the same as Firefox's.

[Vurbal]

Google's response has always been the same: not interested.

-4wd (August 18, 2013, 12:27 AM)

Besides, it would be just one more thing to wring their hands over and whine about "not legally being able to talk about it" next time the NSA comes calling...

Wired's response is basically, "Shut up. This is normal."

-Renegade (August 17, 2013, 10:55 PM)

Wired is no longer Wired as many of us remember it - and hasn't been since 1998. Wired is now owned by Advance Publications and managed by their Conde Nast <*choke*> subservient subsidiary company.

Need more really be said?

 

-40hz (August 18, 2013, 11:54 AM)

The only thing Wired is much good for any more is covering issues that require membership in the International Brotherhood of Holier Than Thou Journalists because of the access and financial backing that comes along with it.

[oblivion]

This isn't really that new, people have been asking for a Master Password feature, (ala Firefox), in Chrome since about 15 minutes after it obtained the ability to store passwords.

Google's response has always been the same: not interested.

-4wd (August 18, 2013, 12:27 AM)

So don't let it store passwords at all, and do something with lastpass / roboform / password gorilla / keepass / whatever instead. Or, hell, run your browser from a Truecrypt container.

There's always another way to skin any given cat.

[Renegade]

So don't let it store passwords at all, and do something with lastpass / roboform / password gorilla / keepass / whatever instead. Or, hell, run your browser from a Truecrypt container.

There's always another way to skin any given cat.

-oblivion (August 21, 2013, 01:50 AM)

Now that you mention it... I get pretty bent out of shape about this... As is really bloody pissed.

----- Going to be a bit of history for those that don't know me -----

I first found DC through a review of ALZip here. I worked for ESTsoft at the time.

--- Enough history ---

ALPass does what 99.999% of people need/want. If you lose your ALPass master password, you're hosed. Completely hosed. Toast. Dead. Screwed.

http://www.altools.c.../ALTools/ALPass.aspx

ALPass (and ALToolbar) is a password manager where all encryption/decryption is done client side. ESTsoft couldn't help you recover a password if it wanted to.

THAT is what most people want. Clear text is just madness.

[oblivion]

There's always another way to skin any given cat.

-oblivion (August 21, 2013, 01:50 AM)

Now that you mention it... I get pretty bent out of shape about this... As is really bloody pissed.

-Renegade (August 21, 2013, 09:44 AM)

Easy, tiger.

ALPass does what 99.999% of people need/want.

I thought, here’s one I haven’t heard of, let alone tried. Oo. Roboform plus support and maybe even some integrity. Mm. Lots of yummy features. Excellent.

Then I saw the last line of text on the page.

ALPass requires Internet Explorer. It does not currently support Firefox, Opera, or other alternative web browsers.

Really? Even now?

Is there an emoticon for “disappointed”? 

If you lose your ALPass master password, you're hosed. Completely hosed. Toast. Dead. Screwed.

I know people get worried about the cloud, but the same is supposed to be true of Lastpass. Lastpass have Firefox and Chrome versions, I even managed -- after a fashion, and before I finally abandoned it -- to use the published workarounds for Opera. They even have an Android variant -- although that’s outside the things that are available for free, and it wasn’t quite as functional as I’d like.

Keepass (I seem to recall) has a linux variant. For that matter, although we’re all wary of the company behind the product after lots of us (yes, me included) had our lifetime licenses summarily revoked, Roboform’s security and functionality was years ahead of everyone else.

If these products delivered what people wanted, everyone would have them already. Something. Any-bloody-thing. No, what people want is not to have to think about it, and to be able to use PASSWORD123 on every website, banking service, data repository and fire alarm they ever meet or, better yet, nothing at all, and still to be able to complain, loudly and bitterly, that they’ve been let down by IT when their security is breached by some script kiddie with nothing better to do for ten minutes.

THAT is what most people want. Clear text is just madness.

I think, if I’m honest, most people want to feel secure without having to take many actions to ensure their own security. I KNOW I take password security more seriously than almost every normal (ie non-techie, non-geek) person I’ve ever met, and even I have a few frequently-used passwords stored in a CHS database. But there are people (no names, no pack drill) I know who COMPLAIN when their (carefully chosen and configured) DNS service stops them from routing a url via one of the snoopiest websites known to man because it means they can’t always click on a link in an email to a “bargain” new shiny thing.

There IS an overkill issue. Throw enough computer power at any stored, encrypted password and it’ll -- eventually -- be hacked. We tell people this and then that they have to use passwords they’ll struggle to remember and the last bit -- there’s a thing they can use to remember their passwords for them -- doesn’t make them feel that there’s a solution to the problem, it makes them feel like they’re handing over even more control to the technology brigade. And we wonder why people write their passwords down?

[Vurbal]

On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much. While that's fine for keeping your roommate from accessing your passwords if that's all you're worried about either you're not worried enough about online security or you really need a different roommate.

Personally I use KeePass. Besides storing passwords it also makes for a reasonably secure file container for a few small files I like to keep on my thumb drive which also has KeePass on it. It's also a much better generic solution since it's not limited to entering passwords in browsers and has pretty good functionality for sending information to other programs.

Besides, even if Chrome had a password encryption scheme it would automatically be suspect as long as the NSA has Google at least halfway under their thumb. Which seems to justify my general policy of not trusting anybody to provide me with both cloud services and any type of sensitive information beyond the scope of those services.

[wraith808]

Besides, even if Chrome had a password encryption scheme it would automatically be suspect as long as the NSA has Google at least halfway under their thumb. Which seems to justify my general policy of not trusting anybody to provide me with both cloud services and any type of sensitive information beyond the scope of those services.

-Vurbal (August 21, 2013, 02:51 PM)

(thanks Ren!)

[tomos]

(see attachment in previous post)
(thanks Ren!)

-wraith808 (August 21, 2013, 03:10 PM)

Favourite to win The Most Popular Gif for 2013 Award

[Renegade]

Then I saw the last line of text on the page.

ALPass requires Internet Explorer. It does not currently support Firefox, Opera, or other alternative web browsers.

Really? Even now?

Is there an emoticon for “disappointed”? 

-oblivion (August 21, 2013, 10:26 AM)

You have no idea... I lobbied for FF support. (This is in the days before Chrome.)

(thanks Ren!)

-wraith808 (August 21, 2013, 03:10 PM)

Hehehe!  (It's gonna annoy the crap out of someone! )

[4wd]

On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much.

-Vurbal (August 21, 2013, 02:51 PM)

Which is why anybody who uses Firefox' Master Password feature should at least be using the Master Password+ addon to at least give you auto-logout/lock capability, (but most of all to stop multiple simultaneous "Enter Master Password" prompts).

[xtabber]

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.

[Renegade]

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.

-xtabber (August 22, 2013, 10:05 AM)

Huh? Are they syncing passwords and account info?

When I read the first few words of your post, my first reaction was to just pull some smartass stuff like, "Hey, let me fix that for you:"

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

-xtabber (August 22, 2013, 10:05 AM)

But jeez... Not even installing Chrome? Can you point us to any other resources or info?

Also - Stoic Joker - You know a few things about big data - care to jump in?

[wraith808]

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.

-xtabber (August 22, 2013, 10:05 AM)

I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.

[Vurbal]

On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much.

-Vurbal (August 21, 2013, 02:51 PM)

Which is why anybody who uses Firefox' Master Password feature should at least be using the Master Password+ addon to at least give you auto-logout/lock capability, (but most of all to stop multiple simultaneous "Enter Master Password" prompts).

-4wd (August 21, 2013, 10:42 PM)

No disagreement there but that's no excuse for such a glaring oversight. I can understand not automatically having it time out. I don't condone it but I know most users don't appreciate the risks enough to put up with the slight inconvenience. Not even offering it as a basic option is indefensible.

Honestly I'd not only include it, I'd have it enabled automatically. Most people who want to turn it off would search for instructions rather than just opening the options to look for themselves. They'd at least be exposed to a bunch of information about why they should leave it on.

[Vurbal]

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.

-xtabber (August 22, 2013, 10:05 AM)

I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.

-wraith808 (August 22, 2013, 12:09 PM)

There are also options to selectively sync or not sync at all. And the data is encrypted before it leaves your computer. Actually the copies on Google's servers are probably a lot more secure than the ones on your computer.

The bigger problem IIRC is the default setting to sign you in automatically every time you open Chrome. In fact I don't even recall if that's a setting you can change and I think you also have to go to the Settings page to sign out even though the Sign In link is on every blank tab you open. That's just dishonest.

[wraith808]

The bigger problem IIRC is the default setting to sign you in automatically every time you open Chrome. In fact I don't even recall if that's a setting you can change and I think you also have to go to the Settings page to sign out even though the Sign In link is on every blank tab you open. That's just dishonest.

-Vurbal (August 22, 2013, 02:22 PM)

Which is why I don't ever do it.  And change my default page so I never see that trash again.

[xtabber]

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.

-xtabber (August 22, 2013, 10:05 AM)

I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.

-wraith808 (August 22, 2013, 12:09 PM)

That is correct, you must sign in to sync.  And once signed in, you must explicitly sign out or you will remain signed in for future session.  When you are signed in, everything you do is synced with your account on Google's servers.

Google's description of how Chrome sync works has the following warning:

Don't sign in to Chrome if you're using a public or untrusted computer. When you set up Chrome with your Google Account, a copy of your data is stored on the computer you're using and can be accessed by other people using the same computer. To remove your data, delete the user you are signed in as.

If you take Google at their word, this indicates that signing out still leaves the synced information stored locally.

Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.

[wraith808]

Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.

-xtabber (August 22, 2013, 10:10 PM)

Yes, you do.  The answer is... nothing.  As I said, I never sign in.  Not to the browser.  Not to the extension manager.  It's a pain doing everything myself, but I don't for the very reason that you say.  I don't use sync.  I use xmarks to sync my bookmarks, 1Password for my passwords, and just do everything else manually.